I do a login with Lock and request an id_token with CURL. It’s all OK until I want to decode the id_token with verifyAndDecode.
I get an error “This token is not intended for us”, which I verified is an aud that does not match my clientID, but in the JWTVerifier config I have set it right.
For security I verified the id_token returned from login in jwt.io, and with my client secret I get “Signature Verified”, so I can’t understand the reason for this error.
```php
$verifier = new JWTVerifier([
    'valid_audiences' => 'MY_CLIENTID',
    'client_secret' => base64_encode('MY_CLIENT_SECRET'),
]);
$decoded = $verifier->verifyAndDecode($response['id_token']);
```
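
To see which aud value a token actually carries and how it compares with the configured audience, the payload can be decoded locally. This is an added example, not part of the original post and not the Auth0 SDK's code; the helper names (`b64url_decode`, `token_audiences`, `audience_matches`) and the sample token are constructed for illustration, and nothing here verifies the signature.

```php
<?php
// Added diagnostic example (hypothetical helpers, not the Auth0 SDK).
// Decodes a JWT payload WITHOUT verifying the signature, for inspection only.

function b64url_decode(string $s): string
{
    // JWT segments use the URL-safe alphabet and drop '=' padding.
    $s = strtr($s, '-_', '+/');
    $pad = (4 - strlen($s) % 4) % 4;
    $out = base64_decode($s . str_repeat('=', $pad), true);
    if ($out === false) {
        throw new InvalidArgumentException('segment is not valid base64url');
    }
    return $out;
}

function token_audiences(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('expected header.payload.signature');
    }
    $claims = json_decode(b64url_decode($parts[1]), true);
    if (!is_array($claims) || !array_key_exists('aud', $claims)) {
        throw new InvalidArgumentException('payload has no aud claim');
    }
    // RFC 7519: aud is either a single string or an array of strings.
    return array_values((array) $claims['aud']);
}

function audience_matches(string $jwt, $validAudiences): bool
{
    // Normalise the configured value as well, so a plain string and a
    // one-element array are compared the same way.
    $expected = (array) $validAudiences;
    return count(array_intersect(token_audiences($jwt), $expected)) > 0;
}

// Constructed sample token; the signature segment is a placeholder.
$enc = fn(array $a): string => rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '=');
$jwt = $enc(['alg' => 'HS256', 'typ' => 'JWT']) . '.'
     . $enc(['aud' => 'MY_CLIENTID', 'sub' => 'user|1']) . '.sig';

var_dump(token_audiences($jwt));
var_dump(audience_matches($jwt, 'MY_CLIENTID'));
var_dump(audience_matches($jwt, ['OTHER_CLIENTID']));
```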